[00:01.960 --> 00:07.380]  Okay. It looks like we are up and going.
[00:07.660 --> 00:15.060]  Hello, everybody. I know the title card said that I was going to be giving the closing speech, and that is still true.
[00:15.160 --> 00:20.480]  But we have one more talk before that, and that is by Ruben Yap from Zcoin.
[00:20.520 --> 00:26.700]  If you don't know Zcoin, it's a coin that's not Monero, so I don't know why he's at the Monero Village.
[00:26.700 --> 00:30.740]  He walked in one day, we took him off the street, and we raised him as our own.
[00:30.740 --> 00:35.660]  So he's going to give a talk about Zcoin and competition to Monero.
[00:35.660 --> 00:39.000]  So I hope everyone sticks around, because it's going to be some good stuff.
[00:39.000 --> 00:41.780]  Passing it over to you, Ruben. Take it away.
[00:41.780 --> 00:49.000]  Thank you. All right. Hello, everyone. My name is Ruben. I am the project steward of Zcoin.
[00:49.180 --> 00:53.480]  And basically what that means is, you know, I'm the caretaker of the project.
[00:53.480 --> 01:02.740]  So first of all, it's super early for me. It's 6 a.m. for me. And yeah, so if I'm a bit slow, please forgive me.
[01:02.980 --> 01:12.560]  And today we are going to talk about ditching opt-in privacy to compete with Monero.
[01:12.560 --> 01:19.260]  And to be fair, I was put up to this topic. I had actually a less controversial topic to talk about.
[01:19.260 --> 01:21.340]  But here we go. All right.
[01:22.340 --> 01:27.200]  So, you know, what is exactly the privacy landscape right now?
[01:27.200 --> 01:41.540]  And, you know, it's pretty clear that Monero is the king, not just in market cap, but I guess in like overall privacy and the protection that it provides.
[01:42.980 --> 01:52.880]  And it's a lonely throne, right? And we're going to take a look at why that is the case and why what we at Zcoin are trying to do.
[01:52.880 --> 02:04.040]  So, you know, this is a little table that I built. Some may or may not agree with me.
[02:04.040 --> 02:13.240]  But as you can see, you know, Monero almost scores really highly in many of the stuff that kind of matters as a privacy coin.
[02:13.240 --> 02:20.460]  You know, first of all, you have like the theoretical privacy level, which is, you know, maybe how good is your privacy technology?
[02:20.460 --> 02:30.960]  And although it's kind of long in the tooth, in my personal opinion, RingCT does offer a decent amount of privacy just out of the box.
[02:31.000 --> 02:48.020]  But of course, because, you know, everything is on by default, you know, with stealth addressing and in a very high compliance, there is a very high practical privacy level because you're mixing with, you know, lots and lots of different inputs and outputs.
[02:48.020 --> 02:59.260]  It has the team, you know, you have the awesome people at Monero Research Labs who are, you know, conducting independent research full time.
[02:59.260 --> 03:06.120]  It does have recently just added, you know, network layer privacy through Dandelion and it has very high liquidity.
[03:06.120 --> 03:17.080]  And this is actually also important, I guess, liquidity and also transaction volume, right? Because in privacy, you know, anonymity likes a crowd.
[03:17.420 --> 03:27.840]  And obviously, the more people using your platform and the more people trading it, you can transfer value through it and there are more transactions to kind of hide within.
[03:27.840 --> 03:32.900]  So that's also actually an important metric as well, beyond just the technicals.
[03:32.900 --> 03:42.340]  So, you know, this is like, you know, everyone talks about Monero and then, well, what about Zcash? Why do you say that Monero is kind of alone on the throne, right?
[03:42.480 --> 03:51.880]  And Zcash has really interesting technology. You know, they have the highest theoretical privacy level. It's like 2 to the power of 32 or something like that.
[03:51.880 --> 04:07.960]  You know, they have independent research and really good researchers. I don't think they have network layer privacy and they have, you know, pretty decent liquidity in terms of exchanges and also an okay number of transactions that's happening on chain.
[04:07.960 --> 04:17.120]  But the practical privacy level is actually really low because very, very few people use their shielded transactions. And we'll talk a little bit about that.
[04:17.860 --> 04:32.720]  Zcoin, you know, we use a kind of a different kind of a zero knowledge proofs to Zcash. I do feel that we offer theoretically a high privacy level, especially as we transition to our new privacy protocol, which we will talk a bit later.
[04:32.720 --> 04:42.840]  But again, because we use opt-in privacy and we'll see how bad this is actually that has panned out. The practical privacy level is really low. We do have our own independent research.
[04:42.840 --> 05:04.820]  We have network layer privacy through Dandelion. And okay, our liquidity is fair, our transactions are decent. Of course, there are all these other competitors, especially in like Beam, Grin, you know, because whether you agree with me, it's a bit difficult to say whether they have independent research because they don't quite have cryptographers,
[05:04.820 --> 05:28.860]  but they are implementing some unique takes on a certain type of protocols. But, you know, I would say that, you know, basically the main guys are Monero and Zcash. Of course, they are like the Z2Z folks. I think the most famous one would be something like Pirate Chain, which is using ZK-SNARK with like full mandatory privacy.
[05:28.860 --> 05:55.860]  And although they offer very high theoretical privacy level, their practical privacy level is only probably medium only, just because so few people are using them. There are so few places to actually use them, exchange them and everything that the crowd is very, very small. So the theoretical privacy is high, the liquidity is really low. And of course, with Zcash and all that ZK-SNARK, you have all that issue with trusted setup.
[05:56.520 --> 06:20.460]  And I think the best way to kind of illustrate, you know, the difference between theoretical privacy versus practical privacy is that, you know, the Zcash on paper has the best privacy technology, just if you just look at the anonymity set, because it's not mandatory. I don't know what's the exact percentage, but it's super low.
[06:20.460 --> 06:48.360]  And because of that, timing attacks and people having to be very careful about how they properly use shielded transactions or Z2Z transactions for proper privacy becomes really tough. And there was actually this fellow, I think just like one month ago, just one month ago, like a couple of weeks ago, he was like saying, ah, you know, Zcoin's Zcash privacy is the best.
[06:48.360 --> 07:04.560]  And they're saying, you know, he offered a reward of $100 and he said, this is my TX ID. He gave a TX ID. And so he did give some additional information and he said, please trace which T address that I came from.
[07:04.560 --> 07:23.460]  And this guy just from Brian just posted this random T address within a day. And you know, he asked, how did you do it? And it was very simple. All he did wasn't any sort of rocket science. It's just, there's not some advanced guy like Chainalysis or stuff like that.
[07:23.460 --> 07:42.620]  This was just some random Twitter dude, just went on the Explorer and was looking for a transaction that was shielding it and just guess. And that's the problem because so few people are using it. And again, secondly, using it correctly.
[07:42.620 --> 08:10.720]  It was very easy to kind of guess that this was the T address that actually made this shielded address payment. So yeah, this is kind of like a really good illustration of how, you know, he put low usage of the privacy technology and also the way that the setup that makes it hard for newbies to use privacy correctly.
[08:11.520 --> 08:31.740]  And I do think that, you know, like in my personal view, one of the things that Monero does right is that because it's privacy on by default, it's all, there's only one way to do a transaction. So like newbies have a lot of that complexity, you know, kind of abstracted out rather than having to go through several steps.
[08:31.740 --> 08:44.640]  And, you know, this is also a problem with Bitcoin. How do I use it? I go through Wasabi, I go through this, I go through that, you know, privacy should be simple so that, you know, everyone can be protected.
[08:45.640 --> 09:02.480]  So the way, for those of you who don't know what Zcoin is, the way our privacy works is kind of different than let's say Monero. And I guess the basic idea is that you can destroy coins, and then you can redeem them for brand new ones with no previous transaction history.
[09:02.480 --> 09:21.940]  So it's kind of like, you know, you have these coins with all this transaction history, and then you destroy them. And at any time in the future, you kind of present a zero knowledge proof that you didn't burn the coins. And that allows you to redeem brand new coins with no previous transaction history.
[09:21.940 --> 09:42.900]  And the beauty of the zero knowledge proof is that you don't have to show the exact kind of coins you burned. This is what preserves the privacy, rather like the source of the funds. And now with our Lelantus version 2, you don't even need to redeem them for brand new coins. You can actually pass the right to redeem to someone else.
[09:42.900 --> 10:07.040]  Like let's say I don't want to redeem and show that brand new coins, I can give this, like if I burn 10 coins, I can say I pass the right of redemption of 5 coins to someone else, and they can redeem it at their pleasure. Or they can just pass that right to redeem to someone else again. And this is, I guess, almost like equivalent to a Z to Z transaction because it hides both amounts and source as well.
[10:07.040 --> 10:37.020]  And the wonderful thing about our zero knowledge proof technology is that there's no trusted setup and it's using standard cryptographic assumptions. This kind of setup is, I think, also using quite similar cryptography that is being looked at by Monero Research Labs in Arcturus and Triptych, but it's just that the way that we use it with this burn and redeem mechanism is slightly different. And there's certain advantages to that.
[10:37.920 --> 11:03.020]  So, you know, our argument is that this is a better privacy method because, you know, we're not kind of like just... we're not just kind of hiding the crowd. And the way I always kind of explain it is kind of like farts in a lift or, you know, sands on the beach, right? Where if I'm the only person in the lift and I fart, everyone knows that it's me. With Monero, you guys are a bit more sadistic.
[11:03.020 --> 11:27.040]  You drag 10 other people into the lift with you and you fart. So that it's not clear who's farted, you know, which among the 11 people farted. Or with the really sadistic people like Mimblewimble, it's kind of like dragging everyone who wants to fart and we all fart at the same time. So it's not clear who's farted. And that's, I guess, similar with CoinJoin as well.
[11:27.040 --> 11:53.220]  The way we see our technology is that I go into the lift, I let out a fart and I make it disappear. And then I can choose at any time in the future to make that fart appear. And we feel that this is a better privacy approach because now your plausible deniability is anyone who actually ever entered that lift rather than the people that you are in the lift together.
[11:53.220 --> 11:59.280]  And, you know, this kind of privacy mechanism, I feel, holds a lot of promise as well.
[12:00.900 --> 12:21.900]  So let's talk about, you know, we've been around since 2016. And we used something called Zerocoin before, which is why we call it Zcoin. But we actually transitioned to a... Zerocoin did have a trusted setup, but Sigma does not have a trusted setup. And we transitioned to that at the end of 30th of July 2019.
[12:21.900 --> 12:31.280]  So it's almost been about a year plus. And it has been completely opt-in privacy.
[12:32.080 --> 12:44.200]  So how has this gone? You know, this was actually kind of an experiment because previously even with Zerocoin, the way to do the privacy was kind of cumbersome.
[12:44.200 --> 12:57.260]  So not many people were using it. With Sigma, we really simplified the process. You just press the number amount that you want to anonymize rather than selecting individual denominations and just go, bam, it's anonymized.
[12:57.260 --> 13:04.400]  So we actually wanted to see, you know, whether this would encourage better use of the privacy protocol.
[13:04.400 --> 13:23.060]  But only 500,000 Zcoin has gone through Sigma since the launch of Sigma in 30th of July 2019. And that's, I don't know, I think 4.6% of the entire circulating Zcoin that has gone through the system.
[13:23.060 --> 13:37.640]  Now, if you take a look at the figures on the left, so what Mint is like, how many total has Mint and how many total has been redeemed, spent, which is what it is.
[13:37.640 --> 13:56.160]  And I guess I would say that if you just look at the denominations within themselves, the anonymity set for like the set of 100 is anywhere between 217 to 4,269 per transaction that when you do that spend.
[13:56.160 --> 14:14.000]  So it's not bad, but you know, actually the potential of this technology is also a lot higher. And so that means this is with such a low usage of Sigma transactions, you can get this kind of, I guess, anonymity sets.
[14:14.000 --> 14:28.800]  Obviously, it's still not ideal, you know, but I guess it kind of illustrates the difference between what we call like burn and redeem mechanisms and decoy systems where you're always constantly having to find people to mix with you.
[14:28.800 --> 14:34.620]  Because like in the lift example, you're constantly finding people to drag people into the lift with you.
[14:34.620 --> 14:48.320]  But because we use the usage of fixed denominations, we have to burn and redeem in the fixed denominations, this actual anonymity set may not be as large as people think of it because there are certain patterns.
[14:48.320 --> 15:04.380]  So if people burn a 0.5, a 10, a 25, you know, and then next thing they redeem a 0.5, a 10, a 25, your anonymity set is not just, it's not like 121 and a 25, it's actually the combination of those things.
[15:04.380 --> 15:13.640]  So that actual anonymity set can be a lot lower than, you know, so-called just based on the statistics.
[15:15.140 --> 15:35.940]  So what are we doing to fix this, right? And this is where Lelantus kind of comes in. Lelantus is our new privacy protocol set to go live for the first version, probably at the end of the, I guess the beginning of October-ish.
[15:35.940 --> 15:44.020]  We're going to probably release the binaries around then and then have it live in one month or so or right after that.
[15:44.020 --> 16:01.260]  Now the beauty of Lelantus is that it can support pretty large anonymity sets. Of course, probably not in the range of Zcash, which is like 2 to the power of 382, but we're looking at sets of like 64,000, which isn't bad.
[16:01.260 --> 16:09.100]  And we probably can even bring it like one order of magnitude higher with some small improvements as well.
[16:09.100 --> 16:33.300]  It has no trusted setup. It uses a ZKP code, one-out-of-many proofs, which I think is also the basis for Triptych. And we will be using this finally. We're going to be using it privacy on by default. That means all official wallets will be using, like, anonymizing funds by default so that users don't really have to care too much.
[16:33.300 --> 16:44.620]  But there is still the option to opt out, and we'll probably talk a bit about why we chose that mode to transition into the privacy.
[16:44.620 --> 16:58.480]  The Cryptolibrary was just completed this audit with Trail of Bits, which was actually funded through crowdfunding using the Zerocoin crowdfunding system, which was definitely a fork of the Monero CCS.
[16:58.480 --> 17:21.900]  And the cryptographic paper is being audited by Dmitry Khovratovich. And as you can see, you know, it is, of course, you know, some may argue that the Monero's anonymity set size isn't actually 11 because of the way things combine together. But let's just take it at face value. This is kind of, you know, I think this is a good overview of what the technology does.
[17:21.900 --> 17:42.860]  All right. Now, OK, we have five more minutes. So just to kind of understand, like, how are we actually deploying Lelantus privacy, right? The phase one, as I said, that is happening in October this year gives the ability to burn and redeem without no fixed denominations.
[17:42.860 --> 18:10.940]  Right. You can burn any arbitrary amount. You can redeem any arbitrary amount, even like a partial amount of what you burnt. Right. All official wallets will anonymize funds by default. There's no new address structure. We still use the same address structure. But of course, there's still the opt-out to use transparent because right now, I mean, realistically, you know, we are a smaller coin and, you know, exchanges, they're not going to reinvent everything for us.
[18:10.940 --> 18:36.000]  All the existing integrations that we want, all the certain parts of infrastructure does rely on transparent addresses, transparent funds. So we cannot straight away opt-out, especially with a new addressing system for Lelantus. And we also want to make sure that we have our mobile SDK so that, you know, mobile wallets can also do all these Lelantus transactions as well.
[18:36.000 --> 18:56.300]  We actually do have a privacy on by default mobile wallet maybe coming in the next few weeks for Sigma privacy, not Lelantus. And because there's still no second address structure, there's the requirement to redeem all the time. Some timing attacks are still possible in phase one.
[18:56.300 --> 19:21.060]  Phase two is when it gets really interesting. And that is coming, I would say, maybe sometime in 2021, maybe the second quarter or first quarter, maybe, right? And it introduces direct anonymous payments where, as I was saying, I don't have to redeem the coins, I can pass that right to redeem to someone else, even partially. Amounts and sources are all hidden.
[19:21.060 --> 19:43.840]  And I do think that the privacy offered is really, really high, especially when you see how we implement anonymity sets. And we introduced a new Lelantus addressing system. I guess like if you have Zcash, it's almost like a shielded address system. And what we're going to do is make that the default for all our official wallets.
[19:43.840 --> 20:08.460]  Now, once we have this addressing system, I think then it's a good time to actually start talking about mandatory privacy. That means there's no opt-out. There are still some things that we kind of need to figure out because we are being integrated into DeFi. I know Monero guys hate the word DeFi because it's been bandied around a lot.
[20:08.460 --> 20:23.840]  But, you know, we see value in being integrated into stuff like Uniswap to be able to trustlessly do the decentralized exchanges or the use collateral. We want to make Zcoin, I guess, more useful, right?
[20:23.840 --> 20:51.540]  And certain other things like proving times, like for an individual users that's making like a transaction, you know, personal transactions, a few transactions a time, the proving times of like, yeah, one second, two seconds isn't so bad. But if you let's say you're an exchange and you have to send hundreds of transactions, we sometimes we don't know how exchanges would react to that.
[20:51.540 --> 21:17.080]  So there are certain improvements in the pipeline that can actually reduce proving time by an order of magnitude. We actually have a paper out for that called Hierarchical One-out-of-Many Proofs. But it has to be adapted for Lelantus. And we're also looking for instancing solutions where, you know, I can use a ZKP to kind of get the entire state of Zcoin.
[21:17.080 --> 21:36.840]  And also the Lelantus like anonymity sets. So, you know, to improve usability, to encourage the use of Lelantus or else it'd be just too cumbersome and no one would want to use it. So this is our current plan. And hopefully, you know, we can finally move to privacy on by default.
[21:36.840 --> 21:56.600]  But, you know, there are still some open stuff, but we do want to move to privacy on by default with opt-out definitely for sure at the end of this year. I mean, October-ish. And then we slowly start pushing to mandatory privacy. And we feel that's really going to be important.
[21:56.600 --> 22:23.820]  Now the last thing I want to talk is about anonymity sets because I will, you know, people are saying like, well, you know, what do you mean by you only have an anonymity set of 64,000, right? So kind of think about past 64,000, because of the limitations of the technology of Lelantus right now, stuff starts to take increasingly longer and longer.
[22:24.760 --> 22:41.820]  So that means both proving time and verification time start getting quite a bit more. So we kind of decided to say to cap that set of 64,000 so it does not grow so that the performance would still be acceptable.
[22:41.820 --> 23:02.380]  Now, let's assume that with privacy on by default, with transparency, we have a very, very low estimate of 30% of transactions that are anonymized with current transaction volume. And that will mean to hit that set of 64k would take about, you know, slightly less about like two thirds of a year.
[23:02.520 --> 23:10.680]  And that's assuming about 800 transactions per day. Obviously, if the usage of Zcoin picks up, we're going to see this filled a lot faster.
[23:12.120 --> 23:15.300]  And I guess one of the interesting things is that
[23:16.980 --> 23:32.500]  what happens when the set of 64,000 is filled? Am I going to start from zero again? That's obviously a really bad thing because that means for that period of time, did I start a new set? The people using that new set gets very, very little anonymity, right?
[23:32.500 --> 23:48.560]  So we do something what we call a sliding window approach, which is quite clever, where we actually kind of start new anonymity sets with kind of pre-seeded with at least 16,000 commitments that have came from the previous set.
[23:48.560 --> 24:06.380]  And because of the nature of zero-knowledge proofs, where even though you prove that you burnt the coins, no one really knows how much of it actually has been redeemed or rather which one has been redeemed. So you can always take those commitments and place it in a new one.
[24:06.380 --> 24:30.020]  Okay, from this 16,000 that I'm pre-seeding, how many of them has been used? There's no idea for that. So what that means is that once the first set has been seeded, or even the first 16K, the minimum anonymity set for Lelantus never falls below 16,000. So it's from 16,000 to 64,000.
[24:30.020 --> 24:47.800]  So we think that's really good and kind of illustrates one of the benefits of doing this burn and redeem method, rather than compared to Monero, which are just building really, really large rings. I think with Triptych, it's like rings of like 100 or so, if I'm not mistaken.
[24:48.470 --> 25:11.740]  So yeah, this kind of like ends my brief introduction of kind of illustrating why we think that our moving into privacy on by default, combined with the Lelantus technology would really give, you know, rather than like kind of like just saying that we're a privacy coin, right?
[25:11.740 --> 25:37.200]  Like Zcash, you know, they have all this amazing technology that no one is using. And you're like, why? You know, how can you call yourself a privacy coin if no one's using your privacy, right? And it's not as if Monero's technology is the best. It isn't, you know, even I don't know if everyone would agree with that. It's just more about the overall package and because everyone is using the transactions that makes it as an overall package the best.
[25:37.200 --> 26:01.940]  But if let's say Zcoin moves towards privacy on by default, and we get significant traction with our privacy protocols, we make it very difficult for users to mess up and to review their privacy. I do think that, you know, I do feel that Lelantus and together, both practical and theoretical kind of come together and really can pose a challenge to Monero.
[26:01.940 --> 26:24.820]  And I hope to see that because I do think that this space really needs better privacy protocols because, you know, Mimblewimble doesn't cut it. So yeah, I'm not sure how to go about... I'll end this sharing of the screen. And does anyone have any questions?
